This document provides design guidance to deploy Out of Band (OOB)
Cisco Network Admission Control (NAC) appliance endpoint security in a Cisco
Unified Wireless Network deployment. These best practice recommendations assume
that a Cisco Unified Wireless Network has been deployed in accordance with the
guidelines provided in the Enterprise Mobility Design Guide 3.0.

The recommended design is the Virtual Gateway (Bridge Mode) and central
deployment OOB solution with RADIUS Single Sign-On. The Wireless LAN Controller
(WLC) must be placed L2 adjacent to the NAC server. The client associates to
the WLC, and the WLC authenticates the user. Once authentication is complete,
the user traffic goes through the quarantine VLAN from the WLC to the NAC
server, where posture assessment and remediation take place. Once the user is
certified, the WLC changes the user's VLAN from the quarantine VLAN to the
access VLAN. Once on the access VLAN, the traffic bypasses the NAC server.

This document is not restricted to specific software and hardware versions.
The lab setup described here used these versions:

NAC Server 3350 4.5

NAC Manager 3350 4.5

WLC 2106 5.1

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Cisco NAC uses the network infrastructure to enforce security policy
compliance on all devices that seek to access network computing resources. With
the Cisco NAC appliance, network administrators can authenticate, authorize,
evaluate, and remediate wired, wireless, and remote users and their machines
prior to network access. The Cisco NAC appliance identifies whether networked
devices such as laptops, IP phones, or game consoles are compliant with network
security policies, and repairs any vulnerabilities before it permits access to
the network.

When the NAC appliance is configured as a virtual gateway, it acts as a
bridge between the end users and default gateway (router) for the client subnet
that is managed. For a given client VLAN, the NAC appliance bridges traffic
from its untrusted interface to its trusted interface. When it acts as a bridge
from the untrusted side to the trusted side of the appliance, two VLANs are
used. For example, Client VLAN 110 is defined between the wireless LAN
controller (WLC) and the untrusted interface of the NAC appliance. There is no
routed interface or switched virtual interface (SVI) associated with VLAN 110
on the distribution switch. VLAN 10 is configured between the trusted interface
of the NAC appliance and the next-hop router interface/SVI for the client
subnet. A mapping rule in the NAC appliance forwards packets that arrive on
VLAN 110 out on VLAN 10, swapping the VLAN tag as shown in Figure 1-1. The
process is reversed for packets that return to the client. Note
that, in this mode, BPDUs are not passed from the untrusted-side VLANs to their
trusted-side counterparts. The VLAN mapping option is usually chosen when the
NAC appliance is positioned logically inline between clients and the networks
that are protected. This bridging option must be used if the NAC appliance is
to be deployed in the virtual gateway mode with a Unified Wireless deployment.
Because the NAC server is aware of upper-layer protocols, by default it
explicitly allows the protocols that clients require in order to connect to
the network in the Authenticated Role, for example, DNS and DHCP.

Out-of-band deployments require user traffic to traverse the NAC appliance
only during authentication, posture assessment, and remediation. When a user
is authenticated and passes all policy checks, the traffic is switched
normally through the network and bypasses the NAC server. For further
information, refer to Chapter 4 of the Cisco NAC Appliance - Clean Access
Manager Installation and Administration Guide.

When the NAC appliance is configured in this manner, the WLC is a
managed device in the NAC Manager, the same way that a Cisco switch is managed
by the NAC Manager. After the user is authenticated and passes posture
assessment, the NAC Manager instructs the WLC to move the user traffic from
the NAC (quarantine) VLAN to the access VLAN that carries the user's access
privileges.

Single sign-on (SSO) is an option that does not require user
intervention and is relatively straightforward to implement. It makes use of
the VPN SSO capability of the NAC solution, coupled with the Clean Access Agent
software that runs on the client PC. VPN SSO uses RADIUS accounting records to
notify the NAC appliance about authenticated remote access users that connect
to the network. In the same way, this feature can be used in conjunction with
the WLAN controller to automatically inform the NAC server about authenticated
wireless clients that connect to the network.

See Figures 1-3 through 1-6 for examples of a wireless client that
performs SSO authentication, posture assessment, remediation, and network
access through the NAC appliance.

This sequence is shown in Figure 1-3:

1. The wireless user performs 802.1x/EAP authentication through the WLAN
   controller to an upstream AAA server.

2. The client obtains an IP address from either AAA or a DHCP server.

3. After the client receives an IP address, the WLC forwards a RADIUS
   accounting (start) record to the NAC appliance, which includes the IP
   address of the wireless client.

   Note: The WLC uses a single RADIUS accounting record (start) for 802.1x
   client authentication and IP address assignment, while Cisco Catalyst
   switches send two accounting records: an accounting start is sent after
   802.1x client authentication, and an interim update is sent after the
   client is assigned an IP address.

4. After it detects network connectivity, the NAC Agent attempts to connect
   to the CAM (with the SWISS protocol). The traffic is intercepted by the
   NAC server, which in turn queries the NAC Manager to determine whether the
   user is in the online user list. Only authenticated clients are in the
   online user list, which is the case in this example as a result of the
   RADIUS update in step 3.

5. The NAC Agent performs a local assessment of the security/risk posture of
   the client machine and forwards the assessment to the NAC server for the
   network admission decision.

Figure 1-3 Client Authentication Process and Posture
Assessment

This sequence takes place in Figure 1-4:

1. The NAC appliance forwards the agent assessment to the NAC Appliance
   Manager (CAM).

2. In this example, the CAM determines that the client is not in compliance
   and instructs the NAC appliance to put the user into a quarantine role.

3. The NAC appliance then sends remediation information to the client agent.

Figure 1-4 Posture Assessment Information from CAS to CAM

This sequence takes place in Figure 1-5:

1. The Client Agent displays the time that remains to accomplish remediation.

2. The Agent guides the user step-by-step through the remediation process;
   for example, through the update of the anti-virus definition file.

3. After remediation is complete, the agent updates the NAC server.

4. The CAM displays an Acceptable Use Policy (AUP) statement to the user.

5. After the user accepts the AUP, the NAC appliance switches the user to an
   online (authorized) role.

6. The SSO functionality populates the online user list with the client IP
   address. After remediation, an entry for the host is added to the
   certified list. Both of these tables (together with the discovered
   clients table) are maintained by the CAM (NAC Appliance Manager).

7. The NAC Manager sends an SNMP write notification to the WLC to change the
   user VLAN from the quarantine VLAN to the access VLAN.

8. The user traffic starts to leave the WLC with the access VLAN tag. The
   NAC server is no longer in the path for this user's traffic.

Figure 1-6 Certified Client Bypasses the CAS by Switching Over to the Access
VLAN

The most transparent method to facilitate wireless user authentication
is to enable VPN-SSO authentication on the NAC server and configure the WLCs to
forward RADIUS accounting to the NAC server. In the event that accounting
records need to be forwarded to a RADIUS server upstream in the network, the
NAC server can be configured to forward the accounting packet to the RADIUS
server.

Note: If VPN-SSO authentication is enabled without the Clean Access agent
installed on the client PC, the user is still automatically authenticated.
However, they are not automatically connected through the NAC appliance until
their web browser is opened and a connection attempt is made. In this case,
when the user opens their web browser, they are momentarily redirected (without
a logon prompt) within the "agent-less" phase. When the SSO process is
complete, they are connected to their originally requested URL.

In the current NAC implementation, the WLC integrates with the Cisco NAC
appliance in in-band mode only, where the NAC appliance has to remain in the
data path even after the user is certified. Once the NAC appliance completes
its posture validation, the employee/guest receives access to the network
based on their role.

With the NAC 4.5 and WLC 5.1 releases, the wireless NAC solution supports OOB
integration with the NAC appliance. When a client associates and completes L2
authentication, the WLC checks whether a quarantine interface is associated
with the WLAN/SSID. If it is, the client's initial traffic is sent on the
quarantine interface. The client traffic flows in the quarantine VLAN, which
is trunked to the NAC appliance. Once posture validation is done, the NAC
Manager sends an SNMP set message that updates the access VLAN ID; the
controller updates itself with the access VLAN ID, and data traffic starts
switching from the controller directly to the network, without the NAC server
in the path.

In Figure 2-1, the WLC is connected to a trunk port that carries the
quarantine VLAN and the access VLAN (176 and 175). On the switch, the
quarantine VLAN traffic is trunked to the NAC appliance, and the access VLAN
traffic is trunked directly to the Layer 3 switch. Traffic that reaches the
NAC appliance on the quarantine VLAN is mapped to the access VLAN based on the
static mapping configuration. When a client associates and completes L2
authentication, the WLC checks whether a quarantine interface is associated;
if it is, the data is sent on the quarantine interface. The client traffic
flows in the quarantine VLAN, which is trunked to the NAC appliance. Once
posture validation is done, the NAC server (CAS) sends an SNMP set message
that updates the access VLAN ID on the controller, and the data traffic
starts to switch from the WLC directly to the network without the NAC server.

Enable VPN authentication on the NAC server — WLC is defined as
“VPN concentrator” in the NAC appliance.

Enable RADIUS accounting on the WLC — the controller that is
defined in the NAC appliance must be configured to send RADIUS accounting
records to the NAC appliance for each 802.1x/EAP WLAN that is a managed subnet
in the NAC.

1. From the CAM left-hand menu, under Device Management, choose CCA Server,
   and then click the NAC Server link.

2. From the Server Status page, choose the Authentication tab and then the
   VPN Auth sub-menu. See Figure 3-1.

Figure 3-1 Enabling the Single Sign-On NAC Server

3. Choose the VPN Concentrators Setting (Figure 3-2) to add a new entry for
   the WLC. Populate the entry fields with the WLC management IP address and
   the shared secret you want to use between the WLC and the NAC server.

Figure 3-2 Add WLC as a RADIUS Client Under VPN Concentrator Section

4. For role mapping, add the new authentication server with type vpn sso
   under User Management > Auth Servers.

5. Click the Mapping icon and then add a Mapping Rule. The mapping depends
   on the Class attribute (25) value that the WLC sends in the accounting
   packet. This attribute value is configured on the RADIUS server and
   varies with the user authorization. In this example, the attribute value
   is ALLOWALL, and it is placed in the role AllowAll.

6. Under VPN Auth, go to the Active Client subsection to verify whether the
   accounting start packet has arrived from the WLC. This entry shows up
   when the CCA agent is installed on the client machine.

7. Without an agent, you need to open a browser to complete the Single
   Sign-On process. When the user opens the browser, the SSO process takes
   place, and the user shows up in the Online User List (OUL). With the
   RADIUS accounting stop packet, the user is removed from the Active Client
   list.
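The accounting-driven SSO flow above (step 3 of Figure 1-3, the Class attribute 25 mapping rule, and the Active Client list that accounting start populates and accounting stop clears), as an added example that is not part of the original guide or Cisco's own code: a model of the NAC server side that checks the RADIUS Request Authenticator against the shared secret before trusting the record, pulls the client IP from Framed-IP-Address, and maps the Class value ALLOWALL to the AllowAll role. The shared secret, usernames and IP addresses are constructed for the example.

```python
import hashlib
import ipaddress
import struct

SHARED_SECRET = b"example-secret"   # assumed: the secret entered for the WLC entry in the CAM
ACCT_REQUEST = 4                    # RADIUS code for Accounting-Request (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
START, STOP = 1, 2                  # Acct-Status-Type values
# Class attribute value -> NAC role, the mapping rule from the guide
ROLE_MAP = {b"ALLOWALL": "AllowAll"}


def acct_attrs(user, status, ip, cls=None):
    """Attribute list for a constructed WLC accounting record."""
    attrs = [(USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status)),
             (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)]
    return attrs + [(CLASS, cls)] if cls else attrs


def build_acct_request(ident, attrs, secret=SHARED_SECRET):
    """Encode an Accounting-Request; authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def verify_authenticator(pkt, secret=SHARED_SECRET):
    """True only if the record was built with our shared secret (rejects a misconfigured or spoofed sender)."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() == pkt[4:20]


def parse_attrs(pkt):
    """Decode the attribute TLVs after the 20-byte header into {type: raw value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return attrs


def apply_accounting(active_clients, pkt):
    """Start adds the client IP (with its mapped role) to the Active Client list; Stop removes it."""
    if not verify_authenticator(pkt):
        raise ValueError("rejecting accounting record with bad authenticator")
    attrs = parse_attrs(pkt)
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS]))
    if status == START:   # role comes from the Class (25) mapping rule; None if no rule matches
        active_clients[ip] = {"user": attrs[USER_NAME].decode(), "role": ROLE_MAP.get(attrs.get(CLASS))}
    elif status == STOP:
        active_clients.pop(ip, None)
    return active_clients
```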